Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp4534482rwb;
        Tue, 8 Nov 2022 19:18:51 -0800 (PST)
X-Google-Smtp-Source: AMsMyM4ToxL9GRZZzb4GHCMhb2PyzxFI8qJcO/MSWXialAStoRfTk12JV800muLzmsktqQ90vfcg
X-Received: by 2002:a05:6402:f2a:b0:461:eff7:bae8 with SMTP id i42-20020a0564020f2a00b00461eff7bae8mr58091352eda.322.1667963930913;
        Tue, 08 Nov 2022 19:18:50 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1667963930; cv=none;
        d=google.com; s=arc-20160816;
        b=wwgW3d03m/kbU1A84W3ccFMENe70spoFcEhYgr5de5/J6TAcXK4g7FpplemBLzPCL3
         YPPopMOiCIsTEHW7Q2vWhCvmOjDTNpuy1ZRG0SrRHoNzC6PUDFHGjt8y7DYltkI7mXWk
         kXBD4QjTj8VjY1/FTyAHJzGxyMqTx6ztMT/nx5ncsd88q+M2kQMfginuglKy0ezaTb/o
         rJ7gorG9XskwuaRrB1HNKg8qVqi5wthCmDETBw7+1Kek3zF1OrYtN1KsjJdSx8k7UxLB
         pOGhaNa549Tk5PxOgio+Yi1ulOB+RtsuG3OIJ6MSJpeHuruNMojmePJ3VF18JqfZMTUx
         3yRg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:dkim-signature
         :from;
        bh=pThIV6ZJIePPLNUvG+CmMKKFXYuBGFqXUhLnpagIMu0=;
        b=bj47ziuArVKl5FaanOVZJ2MLzp0UViJp2aBrU1ac316N5JXywUhOlCyQE8XJX1c1y6
         fpBp/7SZtcQF8x8fx1uxWpPKGBoYPNrm7/sovRDHZIQPHCDsuku0OPXFTwOlbWDhREaW
         +SGfo23YVMcnSuJ5AeNsK8V1+GN3FfHedG57pMrFv1ouPFbUBgZW7Q6y1yuI6NQq39lg
         Wg6x+Lv+YnC9MOedkDJ4HM/mvQJTbwHLeLgEi74MqeDCXQ1xhYf7kYcqDOMww0QHtkmH
         uNBARKDQWC0fTq7ehRd5zkuuy/EoOhf1eSBmtg52KW7uUC95n+f+xYmKDCMBPUwtn0DG
         D1Pg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@weissschuh.net header.s=mail header.b=S4RyJ1wz;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id cw20-20020a170906479400b0079dc9dcbbb6si14651327ejc.337.2022.11.08.19.18.28;
        Tue, 08 Nov 2022 19:18:50 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@weissschuh.net header.s=mail header.b=S4RyJ1wz;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229470AbiKICui (ORCPT <rfc822;recursive.nomad@gmail.com>
        + 93 others); Tue, 8 Nov 2022 21:50:38 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41800 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229705AbiKICue (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 8 Nov 2022 21:50:34 -0500
Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AFCFA1F62F;
        Tue,  8 Nov 2022 18:50:32 -0800 (PST)
From:   =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <linux@weissschuh.net>
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=weissschuh.net;
        s=mail; t=1667962230;
        bh=5ie3Yn8WEIYoQFT16uM/WFQsRiA4aQakHFCHCuSu24o=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=S4RyJ1wzsu+CpZMBbNLMM2Rag3TXO+Xb3KPkzsImCQFf5lvbhoyLEXMvCLg+y4W4P
         s5eZT9wXxoZDpGbOcLoHawu1teXnAudH1mwzGMMXEy1x3Gm9jXVBZh0duYW9j9jTQj
         x4kZPMShWc4wEdNpenaPh88pLrVCr8Ta8dsMZghY=
To:     =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>,
        David Howells <dhowells@redhat.com>,
        David Woodhouse <dwmw2@infradead.org>,
        Jarkko Sakkinen <jarkko@kernel.org>,
        Eric Snowberg <eric.snowberg@oracle.com>
Cc:     =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <linux@weissschuh.net>,
        keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
        Mark Pearson <markpearson@lenovo.com>,
        linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org
Subject: [PATCH v2 3/3] certs: don't try to update blacklist keys
Date:   Wed,  9 Nov 2022 03:50:19 +0100
Message-Id: <20221109025019.1855-4-linux@weissschuh.net>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20221109025019.1855-1-linux@weissschuh.net>
References: <20221109025019.1855-1-linux@weissschuh.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-Developer-Signature: v=1; a=ed25519-sha256; t=1667962214; l=1899; s=20211113; h=from:subject; bh=5ie3Yn8WEIYoQFT16uM/WFQsRiA4aQakHFCHCuSu24o=; b=OUVFxglzNA9V+JeUq6PfXkiyi8NjbHyOn/P067eIM9yuQtAu1elOs+T/uDNnoy72YvI6yHQrLyma IEfj5nx7Dt2CnrEBvK0SE2q0NTMjoP3maKxCmE9wV84O9Uf12dvH
X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=9LP6KM4vD/8CwHW7nouRBhWLyQLcK1MkP6aTZbzUlj4=
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

When the same key is blacklisted repeatedly we don't want to log an
error. These duplicates can be provided by buggy firmware. Instead of
spamming the bootlog with errors we use a warning that can still be seen
by OEMs when testing.

Also extend BLACKLIST_KEY_PERM as otherwise the EACCES will shadow the
EEXIST.

Link: https://lore.kernel.org/all/c8c65713-5cda-43ad-8018-20f2e32e4432@t-8ch.de/
Link: https://lore.kernel.org/all/20221104014704.3469-1-linux@weissschuh.net/
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
 certs/blacklist.c | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index 6e260c4b6a19..ac8e3166b6d7 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -26,7 +26,7 @@
  */
 #define MAX_HASH_LEN	128
 
-#define BLACKLIST_KEY_PERM (KEY_POS_SEARCH | KEY_POS_VIEW | \
+#define BLACKLIST_KEY_PERM (KEY_POS_WRITE | KEY_POS_SEARCH | KEY_POS_VIEW | \
 			    KEY_USR_SEARCH | KEY_USR_VIEW)
 
 static const char tbs_prefix[] = "tbs";
@@ -183,16 +183,19 @@ static int mark_raw_hash_blacklisted(const char *hash)
 {
 	key_ref_t key;
 
-	key = key_create_or_update(make_key_ref(blacklist_keyring, true),
-				   "blacklist",
-				   hash,
-				   NULL,
-				   0,
-				   BLACKLIST_KEY_PERM,
-				   KEY_ALLOC_NOT_IN_QUOTA |
-				   KEY_ALLOC_BUILT_IN);
+	key = key_create(make_key_ref(blacklist_keyring, true),
+			 "blacklist",
+			 hash,
+			 NULL,
+			 0,
+			 BLACKLIST_KEY_PERM,
+			 KEY_ALLOC_NOT_IN_QUOTA |
+			 KEY_ALLOC_BUILT_IN);
 	if (IS_ERR(key)) {
-		pr_err("Problem blacklisting hash %s: %pe\n", hash, key);
+		if (PTR_ERR(key) == -EEXIST)
+			pr_warn("Duplicate blacklisted hash %s\n", hash);
+		else
+			pr_err("Problem blacklisting hash %s: %pe\n", hash, key);
 		return PTR_ERR(key);
 	}
 	return 0;
-- 
2.38.1